Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • 05:19
    Firstyear closed #428
  • 05:19
    Firstyear commented #428
  • 02:45

    github-actions[bot] on gh-pages

    deploy: dbb57e9a7b200e87314bd90… (compare)

  • 02:42

    Firstyear on 20210917-further-tracing

    (compare)

  • 02:42

    Firstyear on master

    Remove auditscope for tracing (… (compare)

  • 02:42
    Firstyear closed #580
  • 02:25
    Firstyear synchronize #66
  • 02:25

    Firstyear on benchmarking

    Change to array queueu (compare)

  • Sep 20 12:28
    Firstyear synchronize #66
  • Sep 20 12:28

    Firstyear on benchmarking

    Improve channel bounding (compare)

  • Sep 20 08:49
    Firstyear synchronize #66
  • Sep 20 08:49

    Firstyear on benchmarking

    update Add tlocal (compare)

  • Sep 20 08:18
    Firstyear synchronize #66
  • Sep 20 08:18

    Firstyear on benchmarking

    update (compare)

  • Sep 20 07:35
    Firstyear opened #66
  • Sep 20 07:34

    Firstyear on benchmarking

    Start adding cache benches Updates to bench Add hit pct and 2 more (compare)

  • Sep 17 10:12
    Firstyear review_requested #580
  • Sep 17 10:11
    Firstyear edited #580
  • Sep 17 10:11
    Firstyear edited #580
  • Sep 17 10:05
    Firstyear synchronize #580
Firstyear
@Firstyear
Exactly
James Hodgkinson
@yaleman
the duo mfa PAM plugin separately prompts for TOTP
Firstyear
@Firstyear
For pam you can do it seperate.
James Hodgkinson
@yaleman
so it's possible to not have that LDAP concat stupidity
Firstyear
@Firstyear
But then totp would only apply to pam, not any other of the unix pw auth transactions.
Which could get confusing.
James Hodgkinson
@yaleman
there's already three possible user passwords for kanidm accounts
Firstyear
@Firstyear
Yeah, I know. I need to make it possible to sync them inside an account
And to be fair, one of them isn't so much of a password
As a "token"
James Hodgkinson
@yaleman
if auth can be restricted to PAM and not LDAP then it'd be possible to not have the POSIX-password for users (or make it transparently sync)
Firstyear
@Firstyear
Yeah, that could be doable.
Need to make the password/account policy stuff to handle that
IIRC there is an account policy issue already open if you want to brain dump some of your ideas there later?
James Hodgkinson
@yaleman
yeah
Triss Healy
@trissylegs
Annoying with the UID >= 1000 is some AUR packages (ie not maintained by users) make users with useradd during install (standard packages use systemd-sysusers)
A problem I was spend a while cleaning up yesturday
I wonder if I can make a hook that checks if a package I'm about to build does it so I can fix it myself first.
Firstyear
@Firstyear
You don't need the >=1000 check
it's optional
Georg
@georg.hofmann:matrix.org
[m]
Survey completed. Could you let us know if the results are available?
@trissylegs are you still struggling with Pam to login? Did not fully get it here. I had a quick look into your system-auth and think Pam_kanidm.so was missing in the session section. If you want I can share mine, also using Arch.
Best wishes
1 reply
Firstyear
@Firstyear
Thank you! The results will be out in a few weeks, I'm leaving it open for 4 weeks
just to be sure it gets plenty of time etc.
Triss Healy
@trissylegs
So today I got a new SSD and I formatted it with ZFS. ZFS has good subvolumes (named datasets). You can set an encryption key per dataset. So I made my home directory a dataset and set a passphrase key that matches my password.
Then did some PAM magic and now it will only decrypt my home directory on login.
https://blog.trifork.com/2020/05/22/linux-homedir-encryption/
They mention that you can't login with public keys because ~/.ssh/authorized_keys is missing. But for kanidm that is fine. Because it get's the key from kanidm anyway. But, it won't have a password to decrypt the drive :/. I suppose the same goes for gnome-keyring. But that doesn't decrypt via ssh anyway (Probably for the same reason)
*today is now yesturday
Georg
@georg.hofmann:matrix.org
[m]
Cool. I have zfs as well and was thinking of home encryption. But not yet dared to start it. 🤣
Same for gdm,it only shows local users. But it will show once the logged it. I did a bit of research, I think also related how sssd does it, it think this is a dbus issue or. Need to search again.
About my arch Pam. It was just a minimal change. Not as hardened as suggested by kanidm docs. Will share, once I am back at the machine.
Firstyear
@Firstyear
Honestly, I'm probably just overly opinionated here but I think that most machines are single-user, not multi-user so the concept of per-home drive or per-user encryption doesn't make sense to me because there is a 1:1 with the user and the system, so system wide encryption maps to the user anyway
Triss Healy
@trissylegs
Arch wiki simplifies the above to just home drive. Which is basically what I have set up. (And my safety user users the the same password)
The setup above to me is just a nicer version because you get the login screen before needing to decrypt anything. Which is kinda how macOS does it
Firstyear
@Firstyear
Yeah, macos does system wide encryption though.
It's just the user pw + disk pw is bound together
You could do similar with luks if you wrote a pam module for it.
But it would have issues with remote pw's
James Hodgkinson
@yaleman
it's all fine as long as your stuff's backed up somewhere so when some overly touchy random PAM thing bins your stuff you can recover
Firstyear
@Firstyear
lol yeah
But linux backup tools are a bit of a wasteland ....
Georg
@georg.hofmann:matrix.org
[m]
Yeah, backups. I have recently switched to kopia and really like it. It's worth having a look, I would say.
Triss Healy
@trissylegs
So for now I'm just going to auto decrypt my /home on boot. It'll just have the option to change it later
My current backup is Déjà Dup to to my NAS and my NAS is using duplicacy [sic] to b2. Although I'm not happy with duplicacy
Georg
@georg.hofmann:matrix.org
[m]

I was using duplicati which is AFAIK very similar to duplicacy. But was also not super happy. Finally I tried to restore from a different machine and this failed after 4 days and 3 retries. 😵

BTW kopia also supports b2 as storage backend

Triss Healy
@trissylegs
It does look nice
Georg
@georg.hofmann:matrix.org
[m]
On home enc: yes mostly 1:1 true. But IMHO the super correct way of doing this would be per user home (i.e. zfs dataset)
I found some scripts doing this but have not tried so far.
Firstyear
@Firstyear
Yeah duplicity is really unreliable and slow, would not recommend.
@georg.hofmann:matrix.org But per-user home implies a multi-user machine, and that's really rare. These days most computers 1 to 1 map from their own to the only user on that system.
Similar to phones/tablets
Triss Healy
@trissylegs
duplicity != duplicacy. Dplicacy is a lot faster but isn't free. (Well the restore program is free and open source... which is good)
It's also kinda annoying getting things that run on arm32. (Party why I'm going to change my nas to amd64)
Main Multi-user PC I've used is was the family PCs. Now I don't think many families do that much... and they're probably not using per-user disk encryption
James Hodgkinson
@yaleman
I've been using duplicacy and it works pretty well
it's free if you don't want all the management ooling